Enable automatic Istio sidecar proxy injection
Enabling automatic sidecar injection allows istiod
to watch all Pod creation operations on all Namespaces, which should be part of Istio Service Mesh, and inject the newly created Pods with a sidecar proxy.
You can enable sidecar proxy injection for either an entire Namespace or a single Deployment.
To enable sidecar proxy injection for a Namespace, set the istio-injection label value to
enabled
for the Namespace in which you want to enable the sidecar proxy injection. Use this command:Click to copykubectl label namespace {YOUR_NAMESPACE} istio-injection=enabledTo enable sidecar proxy injection for a Deployment, add this to the Deployment configuration file as either a label or an annotation:
sidecar.istio.io/inject: "true"
Note that the Namespace label takes precedence over the Pod label or annotation.
Read the Istio documentation to learn more about sidecar proxy injection and consider benefits of having the sidecar container inside your application pod.
If there are issues with the Istio sidecar, you can check whether there is an issue with the sidecar injection or a mismatching Istio version.
Check whether your workloads have automatic Istio sidecar injection enabled
You can easily check whether your workloads have automatic Istio sidecar injection enabled by running this script. You can either pass a namespace parameter to the script or run it with no parameter.
If no parameter is passed, the execution output will contain Pods from all Namespaces that don't have automatic Istio sidecar injection enabled, whereas passing the parameter results in the analysis of only the given Namespace.
The script outputs the information in {namespace}/{pod}
if run for all Namespaces and in {pod}
form for a specific Namespace.
- Run the script
./sidecar-analysis.sh {namespace}
Example output
./sidecar-analysis.sh
Click to copyPods out of istio mesh:In namespace labeled with "istio-injection=disabled":- sidecar-disabled/some-podIn namespace labeled with "istio-injection=enabled" with pod labeled with "sidecar.istio.io/inject=false":- sidecar-enabled/some-podIn not labeled ns with pod not labeled with "sidecar.istio.io inject=true":- no-label/some-pod./sidecar-analysis.sh some-namespace
Click to copyPods out of istio mesh in namespace some-namespace:- some-pod